Posntando uma dica. VPN com ipfw

leonardosimas · 23-04-2008, 15:04

Pessoal estou postando uma dica muito simples mais que fez eu perder umas 4 horas por causa de um VPN de um cliente meu...

O cara nao tinha geito de fazer funcionar o VPN ai apos de bater muito achei a seguinte solução

# ipfw -q add allow gre from any to any

so nao funcionava por motivo do protocolo "gre" q nao tinha no meu firewall .......

Tosco mais pode ajudar alguem...

GrayFox · 27-04-2008, 23:57

Se o firewall nao está como default to accept, realmente por padrao nao deveria funcionar pois muitas vpns usam o protocolo GRE para trafegar...

terencerocha · 04-07-2008, 16:06

tb to com um cliente q nao consegue acessar a vpn, preciso liberar algumas portas...tentei com essa regra e foi em vao...como nao manjo muito de freebsd pois ja peguei ele rodando...alguem poderia me dar uma mao? segue o script do firewall

#!/bin/sh
fwcmd="/sbin/ipfw -q"
#
in_if="re0"
out_if="re1"
out_net="200.216.214.8/29"
backbone="192.168.10.0/24{1-100}"
out_ip="200.202.220.2"
dns="192.168.10.1,200.222.0.34,200. 222.0.35"
denied_ip=10.0.0.0/8,172.16.0.0/12,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4
p2p="1214,2323,3306,4242,4661-4672,5555,6257,6346,6667,6699,6881-6999,7778"
netbios="135-139,445"
open_ports="22,25,80,110,1723,2631, 5190,7700" # SSH SMTP HTTP POP INSS MSN
msn="443,1863-1869,7001"
log="log logamount 0"
openip=189.43.239.1,200.254.16.11,2 00.161.73.133,200.201.174.0/24,200.201.162.0/24,200.254.16.11,189.43.239.1 #
voip=200.162.253.93
willian=192.168.13.114
#
#
#
in_net13="192.168.13.0/24"
bw_13_1="1-254"
bw_13_2="190"
bw_13_3="254"
bw_13_4="254"
bw_13_5="114"
#
in_net14="192.168.14.0/24"
bw_14_1="1-254"
bw_14_2="254"
bw_14_3="254"
bw_14_4="254"
bw_14_5="130"
#
in_net="$in_net13,$in_net14"

#
$fwcmd -f flush
$fwcmd -q pipe flush
$fwcmd zero

######################
#Flush out the list before we begin.
#####################
#
#
#
$fwcmd pipe 1 config mask dst-ip 0xffffffff bw 200kbit/s #
$fwcmd pipe 2 config mask dst-ip 0xffffffff bw 300kbit/s #
$fwcmd pipe 3 config mask dst-ip 0xffffffff bw 400kbit/s #
$fwcmd pipe 4 config mask dst-ip 0xffffffff bw 500kbit/s #
$fwcmd pipe 5 config mask dst-ip 0xffffffff bw 999kbit/s #
$fwcmd pipe 10 config mask dst-ip 0xffffffff bw 30kbit/s #

# Rede de NAT
$fwcmd add divert natd all from any to any via $out_if
$fwcmd add skipto 50000 all from any to any via $out_if
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to 127.0.0.0/8
$fwcmd add allow ip from 127.0.0.0/8 to any
$fwcmd add deny all from any to $denied_ip via $out_if
$fwcmd add deny ip from 192.168.10.0/24 to any via $out_if

$fwcmd add allow ip from any to any src-ip $openip
$fwcmd add allow ip from any to any dst-ip $openip
$fwcmd add allow ip from any to any dst-ip $backbone
$fwcmd add allow ip from any to any src-ip $backbone

#DNS
$fwcmd add allow ip from $in_net to any 53
$fwcmd add allow ip from any 53 to $in_net

$fwcmd add allow icmp from any to any
$fwcmd add allow icmp from any to any

#HTTPS
$fwcmd add allow ip from any $msn to any
$fwcmd add allow ip from any to any $msn

$fwcmd add allow ip from $in_net to $voip
$fwcmd add allow ip from $voip to $in_net

$fwcmd add deny ip from any to any $netbios
$fwcmd add allow ip from $in_net to $in_net
$fwcmd add allow ip from $in_net to 192.168.10.50
$fwcmd add allow ip from 192.168.10.50 to $in_net
$fwcmd add allow ip from me to $in_net
$fwcmd add allow ip from $in_net to me
$fwcmd add allow ip from any to any src-ip $willian
$fwcmd add allow ip from any to any dst-ip $willian
#$fwcmd add fwd 127.0.0.1,3128 ip from any to any dst-port 80
$fwcmd add allow ip from any to any src-ip 189.22.112.147
$fwcmd add allow ip from any to any dst-ip 189.22.112.147

$fwcmd add pipe 5 ip from any to any dst-ip $in_net13{$bw_13_5}
$fwcmd add pipe 2 ip from any to any dst-ip $in_net13{$bw_13_2}
$fwcmd add pipe 1 ip from any to any dst-ip $in_net13{$bw_13_1}
$fwcmd add pipe 5 ip from any to any dst-ip $in_net14{$bw_14_5}
$fwcmd add pipe 1 ip from any to any dst-ip $in_net14{$bw_14_1}
$fwcmd add pipe 10 $log ip from any 1024-65535 to any 1024-65535 limit dst-addr 5

#$fwcmd add allow ip from any to any
$fwcmd add pipe 2 ip from any to any
#
#$fwcmd add check-state
$fwcmd add 50000 // REGRAS EXTERNAS
$fwcmd add allow ip from any to any src-ip 189.22.112.147
$fwcmd add allow ip from any to any dst-ip 189.22.112.147

$fwcmd add allow ip from $in_net to any 53
$fwcmd add allow ip from any 53 to $in_net

$fwcmd add allow ip from any $msn to any
$fwcmd add allow ip from any to any $msn

$fwcmd add allow ip from $in_net to $voip
$fwcmd add allow ip from $voip to $in_net

$fwcmd add allow ip from any to any src-ip $openip
$fwcmd add allow ip from any to any dst-ip $openip

$fwcmd add allow udp from any to any 53
$fwcmd add allow udp from any 53 to any

$fwcmd add allow $log ip from any to any established
$fwcmd add allow $log tcp from any to any setup
$fwcmd add deny $log ip from any to any

terencerocha · 04-07-2008, 16:45

preciso liberar as portas udp de 4500 a 5500...

leonardosimas · 04-07-2008, 16:52

Aff...... errei tenta o de baixo....

23-04-2008, 15:04	#1 (permalink)
Posntando uma dica. VPN com ipfw Pessoal estou postando uma dica muito simples mais que fez eu perder umas 4 horas por causa de um VPN de um cliente meu... O cara nao tinha geito de fazer funcionar o VPN ai apos de bater muito achei a seguinte solução # ipfw -q add allow gre from any to any so nao funcionava por motivo do protocolo "gre" q nao tinha no meu firewall ....... Tosco mais pode ajudar alguem... __________________ Leonardo Simas e-mail: leonardo@simastec.com.br	leonardosimas Louco desvairado Usuário Registrado em: Feb 2007 Localização: Santa Catarina Mensagens: 157 Agradeceu: 8 Agradecido 14 vez(es) em 9 Posts Reputação: 37

04-07-2008, 16:06	#3 (permalink)
porta... tb to com um cliente q nao consegue acessar a vpn, preciso liberar algumas portas...tentei com essa regra e foi em vao...como nao manjo muito de freebsd pois ja peguei ele rodando...alguem poderia me dar uma mao? segue o script do firewall #!/bin/sh fwcmd="/sbin/ipfw -q" # in_if="re0" out_if="re1" out_net="200.216.214.8/29" backbone="192.168.10.0/24{1-100}" out_ip="200.202.220.2" dns="192.168.10.1,200.222.0.34,200. 222.0.35" denied_ip=10.0.0.0/8,172.16.0.0/12,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 p2p="1214,2323,3306,4242,4661-4672,5555,6257,6346,6667,6699,6881-6999,7778" netbios="135-139,445" open_ports="22,25,80,110,1723,2631, 5190,7700" # SSH SMTP HTTP POP INSS MSN msn="443,1863-1869,7001" log="log logamount 0" openip=189.43.239.1,200.254.16.11,2 00.161.73.133,200.201.174.0/24,200.201.162.0/24,200.254.16.11,189.43.239.1 # voip=200.162.253.93 willian=192.168.13.114 # # # in_net13="192.168.13.0/24" bw_13_1="1-254" bw_13_2="190" bw_13_3="254" bw_13_4="254" bw_13_5="114" # in_net14="192.168.14.0/24" bw_14_1="1-254" bw_14_2="254" bw_14_3="254" bw_14_4="254" bw_14_5="130" # in_net="$in_net13,$in_net14" # $fwcmd -f flush $fwcmd -q pipe flush $fwcmd zero ###################### #Flush out the list before we begin. ##################### # # # $fwcmd pipe 1 config mask dst-ip 0xffffffff bw 200kbit/s # $fwcmd pipe 2 config mask dst-ip 0xffffffff bw 300kbit/s # $fwcmd pipe 3 config mask dst-ip 0xffffffff bw 400kbit/s # $fwcmd pipe 4 config mask dst-ip 0xffffffff bw 500kbit/s # $fwcmd pipe 5 config mask dst-ip 0xffffffff bw 999kbit/s # $fwcmd pipe 10 config mask dst-ip 0xffffffff bw 30kbit/s # # Rede de NAT $fwcmd add divert natd all from any to any via $out_if $fwcmd add skipto 50000 all from any to any via $out_if $fwcmd add allow all from any to any via lo0 $fwcmd add allow all from any to 127.0.0.0/8 $fwcmd add allow ip from 127.0.0.0/8 to any $fwcmd add deny all from any to $denied_ip via $out_if $fwcmd add deny ip from 192.168.10.0/24 to any via $out_if $fwcmd add allow ip from any to any src-ip $openip $fwcmd add allow ip from any to any dst-ip $openip $fwcmd add allow ip from any to any dst-ip $backbone $fwcmd add allow ip from any to any src-ip $backbone #DNS $fwcmd add allow ip from $in_net to any 53 $fwcmd add allow ip from any 53 to $in_net $fwcmd add allow icmp from any to any $fwcmd add allow icmp from any to any #HTTPS $fwcmd add allow ip from any $msn to any $fwcmd add allow ip from any to any $msn $fwcmd add allow ip from $in_net to $voip $fwcmd add allow ip from $voip to $in_net $fwcmd add deny ip from any to any $netbios $fwcmd add allow ip from $in_net to $in_net $fwcmd add allow ip from $in_net to 192.168.10.50 $fwcmd add allow ip from 192.168.10.50 to $in_net $fwcmd add allow ip from me to $in_net $fwcmd add allow ip from $in_net to me $fwcmd add allow ip from any to any src-ip $willian $fwcmd add allow ip from any to any dst-ip $willian #$fwcmd add fwd 127.0.0.1,3128 ip from any to any dst-port 80 $fwcmd add allow ip from any to any src-ip 189.22.112.147 $fwcmd add allow ip from any to any dst-ip 189.22.112.147 $fwcmd add pipe 5 ip from any to any dst-ip $in_net13{$bw_13_5} $fwcmd add pipe 2 ip from any to any dst-ip $in_net13{$bw_13_2} $fwcmd add pipe 1 ip from any to any dst-ip $in_net13{$bw_13_1} $fwcmd add pipe 5 ip from any to any dst-ip $in_net14{$bw_14_5} $fwcmd add pipe 1 ip from any to any dst-ip $in_net14{$bw_14_1} $fwcmd add pipe 10 $log ip from any 1024-65535 to any 1024-65535 limit dst-addr 5 #$fwcmd add allow ip from any to any $fwcmd add pipe 2 ip from any to any # #$fwcmd add check-state $fwcmd add 50000 // REGRAS EXTERNAS $fwcmd add allow ip from any to any src-ip 189.22.112.147 $fwcmd add allow ip from any to any dst-ip 189.22.112.147 $fwcmd add allow ip from $in_net to any 53 $fwcmd add allow ip from any 53 to $in_net $fwcmd add allow ip from any $msn to any $fwcmd add allow ip from any to any $msn $fwcmd add allow ip from $in_net to $voip $fwcmd add allow ip from $voip to $in_net $fwcmd add allow ip from any to any src-ip $openip $fwcmd add allow ip from any to any dst-ip $openip $fwcmd add allow udp from any to any 53 $fwcmd add allow udp from any 53 to any $fwcmd add allow $log ip from any to any established $fwcmd add allow $log tcp from any to any setup $fwcmd add deny $log ip from any to any __________________ http://mikrotik.blogspot.com terence_rocha@hotmail.com Meu MSN não é pra suporte! Dúvidas utilize o forum!	terencerocha Usuário Registrado em: Nov 2005 Localização: Portugal Distribuição: Ubuntu Hard 8.04 Idade: 31 Mensagens: 476 Agradeceu: 2 Agradecido 52 vez(es) em 47 Posts Reputação: 87

04-07-2008, 16:45	#4 (permalink)
portas... preciso liberar as portas udp de 4500 a 5500... __________________ http://mikrotik.blogspot.com terence_rocha@hotmail.com Meu MSN não é pra suporte! Dúvidas utilize o forum!	terencerocha Usuário Registrado em: Nov 2005 Localização: Portugal Distribuição: Ubuntu Hard 8.04 Idade: 31 Mensagens: 476 Agradeceu: 2 Agradecido 52 vez(es) em 47 Posts Reputação: 87

04-07-2008, 16:52	#5 (permalink)
Aff...... errei tenta o de baixo.... __________________ Leonardo Simas e-mail: leonardo@simastec.com.br Última edição por leonardosimas : 04-07-2008 às 19:50.	leonardosimas Louco desvairado Usuário Registrado em: Feb 2007 Localização: Santa Catarina Mensagens: 157 Agradeceu: 8 Agradecido 14 vez(es) em 9 Posts Reputação: 37

Tópicos Similares
Tópico	Tópico Iniciado Por	Fórum	Respostas	Última Mensagem
Ipfw :-)	netolinux	Proxy/NAT/Firewall	2	27-11-2006 17:59
IPFW MAC	Valois	*BSD	1	22-06-2006 20:15
IPFW	webluc	*BSD	2	15-03-2006 10:54
IPFW	xtr3m3	Proxy/NAT/Firewall	1	22-01-2006 22:14
ipfw	hitmam	*BSD	2	27-08-2004 5:08

27-04-2008, 23:57	#2 (permalink)
Se o firewall nao está como default to accept, realmente por padrao nao deveria funcionar pois muitas vpns usam o protocolo GRE para trafegar...	GrayFox Jack Bauer Mode Moderador Registrado em: Aug 2002 Localização: Santa Catarina Distribuição: *BSD Mensagens: 888 Agradeceu: 5 Agradecido 72 vez(es) em 70 Posts Reputação: 175

Opções do Tópico
Exibir Versão para Impressão Envie essa página por e-mail